Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider a "set user permission for all vhosts" CLI command #1000

Closed
michaelklishin opened this issue Oct 18, 2016 · 13 comments · Fixed by #7197
Closed

Consider a "set user permission for all vhosts" CLI command #1000

michaelklishin opened this issue Oct 18, 2016 · 13 comments · Fixed by #7197
Assignees
@michaelklishin
Labels
enhancement
Milestone
3.11.9

Comments

@michaelklishin
Copy link
Member

Originally filed as rabbitmq/rabbitmq-management#293.

One thing that's immediately not obvious to me is what should happen when new vhosts are added, since this is an ongoing maintenance problem.

Also, as of 3.7.0 this can become a CLI plugin (once the new CLI is open sourced and integrated) instead of a built-in feature but some internal API hooks would help either way.
@coderanger
Copy link
Contributor

Something like a special vhost name for permissions (*?) where those permissions apply to all vhosts would also fit the bill and would simplify management accounts a lot.

@25schmekles
Copy link

Bump.
I am often applying permission for multiple users to dozens of vhosts at a time. A bulk permissions application tool would speed that process up significantly.

@sbert
Copy link

sbert commented Apr 10, 2021
edited
Loading

It will be very useful

For ex to use with datadog

@cdobbyn
Copy link

cdobbyn commented Dec 10, 2021

Very useful indeed. This is management overhead that's unnecessary.

newrelic monitoring.

@h0jeZvgoxFepBQ2C
Copy link

Yeah this would be great!

@michaelklishin michaelklishin self-assigned this Feb 6, 2023
@michaelklishin
Copy link
Member Author

I am leaning towards a new command and not a special virtual host name. It's a pretty dangerous thing to do and someone might confuse which one of the four asterisks grants the permissions to all virtual hosts in the cluster.

michaelklishin added a commit that referenced this issue Feb 6, 2023
@michaelklishin
Introduce a CLI command that grants permissions to all virtual hosts
ab99ccf 
Closes #1000
@michaelklishin michaelklishin mentioned this issue Feb 6, 2023
Merged
@michaelklishin michaelklishin added this to the 3.11.9 milestone Feb 6, 2023
mergify bot pushed a commit that referenced this issue Feb 6, 2023
@michaelklishin @mergify
Introduce a CLI command that grants permissions to all virtual hosts
19d327e 
Closes #1000

(cherry picked from commit ab99ccf)

# Conflicts:
#	deps/rabbit/src/rabbit_auth_backend_internal.erl
@coderanger
Copy link
Contributor

coderanger commented Feb 6, 2023
edited
Loading

@michaelklishin I might be misunderstanding the code, that command looks like it only applies to vhosts that exist at that moment? If so, that doesn't really answer the issue. Imagine something like a monitoring user which needs read access to every vhost, even future ones.

@lukebakken
Copy link
Collaborator

that command looks like it only applies to vhosts that exist at that moment

Yes.

If so, that doesn't really answer the issue. Imagine something like a monitoring user which needs read access to every vhost, even future ones

Yes, this feature addresses a major part of the issue. @michaelklishin already made a comment with regard to future vhosts:

One thing that's immediately not obvious to me is what should happen when new vhosts are added, since this is an ongoing maintenance problem

@coderanger
Copy link
Contributor

I would still vote to leave this issue open until the true "all vhosts" solution is worked out :) Or make a new one, either way.

@michaelklishin
Copy link
Member Author

@coderanger yes, it only applies to virtual hosts that already exist. This is how most users interpreted this feature.

We do have a couple of features that "pre-configure" virtual hosts that will be created in the future but this is something very new: ##6172. Something similar for permissions makes sense but it'd need to be designed.

@illotum have you ever had a need for something like @coderanger is describing?

@michaelklishin michaelklishin changed the title Consider a "set user permission for all vhosts" feature Consider a "set user permission for all vhosts" CLI command Feb 6, 2023
mergify bot pushed a commit that referenced this issue Feb 6, 2023
@michaelklishin @mergify
Introduce a CLI command that grants permissions to all virtual hosts
44800f3 
Closes #1000

(cherry picked from commit ab99ccf)

# Conflicts:
#	deps/rabbit/src/rabbit_auth_backend_internal.erl
(cherry picked from commit 19d327e)
@illotum
Copy link

illotum commented Feb 7, 2023

I have not heard of our customers requesting this.

And we don't provision users for operators at all. A little tangential: from the cloud platform perspective vhosts in general feel redundant.

@coderanger
Copy link
Contributor

My specific use case here is KEDA autoscaling, creating a single platform-level "keda" user in Rabbit rather than having to coordinate with every team using it.

@michaelklishin michaelklishin mentioned this issue Feb 7, 2023
Closed
@michaelklishin
Copy link
Member Author

@coderanger I have an outline of the same idea as in #6172 but for permissions in #7208.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelklishin michaelklishin

Labels
enhancement
Projects
None yet
Milestone
3.11.9
Development

Successfully merging a pull request may close this issue.

Introduce a CLI command that grants permissions to all virtual hosts rabbitmq/rabbitmq-server
8 participants
@michaelklishin @h0jeZvgoxFepBQ2C @coderanger @lukebakken @sbert @illotum @cdobbyn @25schmekles